CVE-2020-11104
Description
Cereal library through 1.3.0 leaks uninitialized memory when serializing long double variables, enabling sensitive data disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An issue in USC iLab cereal through version 1.3.0 allows uninitialized stack or heap memory to be leaked when a long double variable is serialized with BinaryOutputArchive or PortableBinaryArchive. On x86 and x86-64 with GCC or Clang, long double is the 80-bit x87 extended-precision format, but the ABI stores it in a 12-byte (32-bit) or 16-byte (64-bit) slot; the trailing 2 or 6 bytes are padding that the compiler never writes, even when the variable is fully initialized, so they keep whatever the stack or heap previously held. The binary archives copy the full sizeof(long double) bytes of the object, so that padding ends up in the serialized output [1]. The reporter reproduced the behaviour with both GCC and Clang; it is a consequence of the platform representation of the type, not a bug in either compiler.
Exploitation
The attacker needs a copy of a cereal binary archive that contains at least one long double value, obtained for example from a file the application writes or from network traffic carrying the archive. No privileged network position or authentication is required beyond that. Because the binary formats are a direct byte copy of each value, the attacker locates the long double fields in the archive and reads their trailing padding bytes to recover the leaked memory; no interaction with the serializing process is needed.
Impact
Successful exploitation results in the disclosure of sensitive information from the process's stack or heap memory, which may include memory layout addresses, cryptographic private keys, or other secrets that were previously present in that memory region. The disclosure per value is bounded by the padding, not by the whole type: 6 bytes per long double on x86-64 (16-byte slot, 10-byte value) and 2 bytes on 32-bit x86 (12-byte slot). Each additional long double in an archive, and each archive the process produces, adds another window onto stale memory, so repeated serialization increases the leaked volume. No privilege escalation occurs, but the confidentiality of the affected process is compromised.
Mitigation
As of the publication date (2020-03-30), no cereal release fixes the issue, and no fix commit is referenced on this page. Users are advised to avoid serializing long double variables with the affected archive types until an update is available. Workarounds include converting the value to a fixed-size type before serialization (a double, at the cost of precision, or a decimal string), or staging the value in zero-filled storage immediately before archiving so that the padding bytes are zero rather than stale.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
USC iLab/cereal
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"cereal's binary serializers write the entire raw storage of a `long double` variable, including uninitialized padding bytes, into the archive output."
Attack vector
An attacker who can obtain a serialized archive produced by cereal (e.g., by intercepting network traffic or accessing a shared file) can extract uninitialized stack or heap memory that was copied into the archive when a `long double` variable was serialized [1]. Even an initialized `long double` leaves part of its raw storage unwritten on x86 and x86-64, because the 80-bit extended-precision value occupies only 10 of the 12 or 16 bytes allotted to it, so any archive containing a serialized `long double` may leak sensitive data such as memory layout or private keys. No special network position or authentication bypass is required beyond access to the archive itself.
Affected code
The issue is in the cereal serialization library (USCiLab/cereal) up to version 1.3.0. The `BinaryOutputArchive` and `PortableBinaryArchive` serializers for the C/C++ `long double` type write the entire raw storage of the variable, including uninitialized padding bytes, into the archive output. The relevant code path is the serialization of `long double` values in the binary archive backends.
What the fix does
The advisory does not include a published patch. The recommended remediation is to avoid serializing `long double` variables in contexts where the archive may be exposed to untrusted parties, or to ensure the padding bytes are zero before serialization (for example by narrowing to `double`, or by placing the value in zero-filled storage right before archiving). The root cause is that cereal's binary serializers write the full `sizeof(long double)` bytes of raw storage, which includes padding that is not part of the value's logical representation [1].
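The root cause and both workarounds above, as an added example that is not part of the original page and does not use cereal itself. `raw_archive_bytes` stands in for what the page describes cereal's binary archives doing (copying `sizeof(T)` bytes of an arithmetic value); the `kStale` sentinel, the placement-new staging and every helper name are this example's own constructions. The expected padding size is derived from `std::numeric_limits`, so the code runs on targets where `long double` has no padding (it then reports zero stale bytes).

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <limits>
#include <new>
#include <vector>

// Bytes of a long double that carry the value on this target. x87 extended
// precision (64-bit significand) uses 10 of its 12 or 16 bytes; IEEE quad
// (113-bit significand) and "long double == double" (53-bit) have no padding.
constexpr std::size_t kValueBytes =
    std::numeric_limits<long double>::digits == 64 ? 10 : sizeof(long double);
constexpr std::size_t kPaddingBytes = sizeof(long double) - kValueBytes;

// Sentinel standing in for "whatever was in memory before". Chosen so it does
// not occur in the value bytes of the inputs used below (1.0L * 3.0L, 3.0L).
constexpr unsigned char kStale = 0xAA;

// Stand-in for a binary archive's arithmetic-type path: copy the whole object
// representation, padding included. This is the behaviour the CVE describes.
std::vector<unsigned char> raw_archive_bytes(const long double& v) {
    std::vector<unsigned char> out(sizeof(long double));
    std::memcpy(out.data(), &v, sizeof(long double));
    return out;
}

std::size_t count_byte(const std::vector<unsigned char>& bytes, unsigned char b) {
    std::size_t n = 0;
    for (unsigned char c : bytes) n += (c == b);
    return n;
}

// Vulnerable path: the variable lives in storage that previously held other
// data (simulated with kStale). Assigning a value writes only kValueBytes, so
// the padding keeps the old contents and the archive copies them out.
std::size_t stale_bytes_in_raw_archive(long double x) {
    alignas(long double) unsigned char storage[sizeof(long double)];
    std::memset(storage, kStale, sizeof storage);      // "previous" contents
    long double* p = new (storage) long double;         // no initialisation
    *p = x * 3.0L;                                      // writes value bytes only
    return count_byte(raw_archive_bytes(*p), kStale);   // stale bytes leaked
}

// Workaround 1: stage the value in zero-filled storage immediately before
// archiving, so the padding bytes are zero rather than stale.
std::vector<unsigned char> scrubbed_archive_bytes(long double v) {
    alignas(long double) unsigned char storage[sizeof(long double)] = {};
    long double* p = new (storage) long double;
    *p = v;
    return raw_archive_bytes(*p);
}

// Workaround 2: narrow to double (53-bit significand) and archive that. No
// padding exists in a double, at the cost of precision.
std::vector<unsigned char> archive_as_double(long double v) {
    double d = static_cast<double>(v);
    std::vector<unsigned char> out(sizeof d);
    std::memcpy(out.data(), &d, sizeof d);
    return out;
}

// Check for the scrubbed form: every byte past the value must be zero.
bool padding_is_zero(const std::vector<unsigned char>& archived) {
    for (std::size_t i = kValueBytes; i < archived.size(); ++i)
        if (archived[i] != 0) return false;
    return true;
}

static void dump(const char* label, const std::vector<unsigned char>& bytes) {
    std::printf("%-10s", label);
    for (unsigned char c : bytes) std::printf(" %02x", c);
    std::printf("\n");
}

int main() {
    std::printf("sizeof(long double)=%zu value bytes=%zu padding bytes=%zu\n",
                sizeof(long double), kValueBytes, kPaddingBytes);
    std::printf("stale bytes copied into raw archive: %zu\n",
                stale_bytes_in_raw_archive(1.0L));
    dump("scrubbed", scrubbed_archive_bytes(3.0L));
    dump("as double", archive_as_double(3.0L));
    return 0;
}
```

On x86-64 the raw path reports 6 stale bytes per value and the scrubbed dump shows six trailing zeros after the 10 value bytes; on a target whose `long double` has no padding both paths report zero, which is the expected result there.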
Preconditions
- Input: The attacker must obtain a cereal BinaryArchive or PortableBinaryArchive that contains a serialized long double variable.
- Network: The archive must be distributed outside a trusted context (e.g., over a network or stored in a shared location).
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. https://github.com/USCiLab/cereal/issues/625 (MISC)
News mentions
No linked articles in our index yet.